Secure, remote support platform with an edge device

ABSTRACT

A secure, remote support platform allows secure, remote device support with an edge device ( 101 ) and a trusted intermediary server resource (“trusted server”). The trusted server ( 113 ) is an endpoint for secure connections with a support application used by a remote technician and with the edge device. The secure connections carry messages with inputs, data requests, and feedback. Messages between the trusted server and support edge device are secured in a manner that allows each endpoint to validate the messages. The remote technician controls the edge device to assesses a target device connected to the edge device. The edge device presents emulated peripheral devices to the target device while capturing the target device desktop with a camera or presents remotely controlled peripherals and returns screen captures or updates of the desktop from the target device.

TECHNICAL FIELD

The disclosure generally relates to the field of digital processingsystems, and more particularly to support.

BACKGROUND ART

Technical support or information technology (IT) support has grown withcomputing technology and the Internet. Technical support can be remoteor on-site. Across business and consumer domains, remote technicalsupport is preferred due to lower cost and greater practicality thanon-site support. Support technicians use remote support software toreduce the gap between on-site support and remote phone support. Withremote support software, a support technician can collect informationabout a device and remotely control the device.

While remote support software can be used to address a number of issuesof a computer (e.g., configuration changes, application settings,software installation and updates), remote support software relies uponthe computer having an established Internet connection. To have anestablished Internet connection, the computer loads network interfacedrivers after boot-up of the operating system and needs to be properlyconfigured for connecting to an available network. A variety of issuescan prevent a computer from loading its operating system, including usererror. A problem could be occurring as part of the boot up sequence ordue to a power-related issue. Furthermore, secure remote support relieson virtual private network (VPN) software or network access control(NAC) software that would not be executing if the computer cannot bootup. In addition to boot-up or power related issues, other softwareissues may prevent the computer from executing or loading VPN or NACsoftware.

BRIEF DESCRIPTION OF THE DRAWINGS

Aspects of the disclosure may be better understood by referencing theaccompanying drawings.

FIG. 1 is a diagram of an example remote support system that allows forsecure device support and/or management via an edge device.

FIG. 2 is an example depiction of hardware components for an edge devicecapable of remote support of a target device.

FIG. 3 depicts a flowchart with example operations for protectedoperation of an edge device using cryptographic keys.

FIG. 4 depicts a flowchart with example operations for managing messagepaths in accordance with an operating state of a target device.

FIG. 5 is a conceptual diagram of communication of messages between anedge device and a target device for remote support of the target device.

FIG. 6 is a flowchart of example operations for processing a remotesupport message according to a support message protocol at a targetdevice when the remote support process is available at the targetdevice.

FIG. 7 is a diagram of example operations performed by a trusted serverand a remotely controlled support edge device for communicating supportmessages to the edge device.

FIG. 8 is a diagram of example operations performed by a trusted serverresource and a remotely controlled support edge device for communicatingfeedback messages to the trusted server.

FIG. 9 is a diagram of example operations performed by a remotelycontrolled support edge device and a target device.

FIG. 10 depicts an example computer system with a remote support messageprocessor.

DESCRIPTION OF EMBODIMENTS

The description that follows includes example systems, methods,techniques, and program flows that embody aspects of the disclosure.However, it is understood that this disclosure may be practiced withoutthese specific details. For instance, this disclosure refers to auniversal serial bus connection in illustrative examples. Aspects ofthis disclosure can be instead applied to other wired connection mediumsand wireless connections. In other instances, well-known instructioninstances, protocols, structures and techniques have not been shown indetail in order not to obfuscate the description.

Overview

A system has been created that facilitates comprehensive and secure,remote technical support that can be troubleshooting and/or devicemanagement. The system includes an edge device that operates as a highlysecured conduit for a technician to view, access, and control a targetdevice via a secure protocol over a connection medium between the edgedevice and the target device. An authenticated user can submit anauthorized request to initiate a support session. The authorized requestmay be for the edge device to connect to a chosen network. After theedge device obtains network access, the edge device establishes a secureconnection with a trusted server. A technician authenticated to thetrusted server and authorized to access the edge device also establishesa secure connection with the trusted server.

Over these secure connections, the remote technician sends supportmessages to the edge device. These support messages can carry payloadsincluding requests to collect data about the target device, controlcommands, and peripheral device inputs to the target device. The edgedevice's architecture allows it to present numerous peripheral devicesto the target device while preserving compactness of the edge device.The edge device also obtains feedback (e.g., screen updates) from thetarget device and communicates the feedback to the remote technician infeedback messages over the secure connections. The messages communicatedbetween the trusted server and the edge device are signed by the senderand validated by the recipient.

Between the edge device and the target device, support messages caninitially be universal serial bus (USB) standard compliant messages thatare routed through a hub and switches of the edge device according toperipheral device emulation. Based on satisfying a mode change criterion(e.g., successful loading of the target device's operating system), theedge device can switch to a different message path that utilizes aback-to-back USB microcontrollers architecture that communicates theremote technician messages more efficiently. Messages can becommunicated more efficiently by passing through support messages thatinclude peripheral inputs from the remote technician instead ofemulating peripheral devices based on peripheral inputs from a remotetechnician. In addition, the more direct path for peripheral inputs andfeedback avoid the delay common when emulating peripheral devices. Thisfaster communication path passes the support messages to a remotesupport message process/application on the target device. The remotesupport message process processes the received support messages todetermine whether the messages are legacy messages to be passed on to aspecified driver or messages to be examined and unpacked according to aremote support messaging protocol for the remote device support.

Remote Support Platform Example Illustrations

FIG. 1 is a diagram of an example remote support system that allows forsecure device support and/or management via an edge device. Numerous usecases are possible, but FIG. 1 only depicts two use cases: 1) a thirdparty support service to consumer customers and 2) internal enterprisedevice support/management. In both use cases, the support systeminvolves remote technicians, trusted intermediary server resources, andsupport edge devices. The support edge devices (“edge devices”) can beconsidered local support relays for the remote technicians.

In the consumer scenario, the remote technicians may be technicians of asupport service associated with a retailer of edge devices or may betechnicians of a third party service distinct from the entity thatprovides the edge devices to consumers. Regardless of the specificrealization, roles or identifiers of technicians 123 are associated withan edge device 101. Either through role based association or useridentifier based association, the technicians 123 have been authorizedto access the edge device 101 as indicated in an authentication andauthorization database 115. The database 115 is accessible by a server113, which is a trusted server resource from the perspective of the edgedevice 101. A single server 113 is depicted, but implementations mayhave multiple trusted servers and a load balancer(s). The technicians123 and the edge device 101 can communicate with the server 113 via anetwork 102. The server 113 may be a trusted server resource of anentity that also manages the technicians 123 or a separate entity. Theserver 113 has been supplied or given access to security keys 117 thatallow access of edge devices including the edge device 101. Thesesecurity keys 117 have been previously associated with or assigned toedge devices in a secure manner, such as at secure facility during themanufacturing process of the edge devices.

A consumer location 145 (e.g., a small business, residential unit, etc.)has several devices with connection ports (e.g., a universal serial businterface) that can be supported via the edge device 101. Solely forexample illustration of the variety of devices that can be supported,FIG. 1 depicts the consumer location 145 as having a gaming console 143,an espresso machine 141, and a computer 103. Each of these can bereferred to as a “target device” when connected to the edge device 101for support. This example illustration of the consumer use case uses thecomputer 103 as the target device.

As a security measure to protect the edge device 101 from beingactivated and used by a bad actor, connecting the edge device 101 to anetwork can be restricted to a secure configuration request. The edgedevice 101 includes components which support wireless communication forconfiguration and activation related communications. The wirelesscommunication may be based on a near field communication (NFC)connection, a Bluetooth connection, etc. Activation of components forwireless communication may be dependent upon activation of a button orother hardware based mechanism of the edge device 101. The edge device101 transmits a unique identifier 108 (e.g., serial number or globallyunique identifier) via the components for wireless communication.Embodiments of the edge device 101 may display the unique identifier ordisplay an encoding (e.g., barcode) of the unique identifier instead oftransmitting. A user at the consumer location 145 authenticates with anapplication for the edge device 101 that is installed and executed on amobile device 107, such as a smartphone or tablet. The application onthe mobile device 107 (or a third party authentication application)sends an authentication message 109 with user credentials. Ifauthentication fails, then the user cannot activate the edge device 101.Assuming successful authentication, the application on the mobile device107 presents via a user interface a listing of detected edge devices,which include the edge device 101 in this example based on transmissionof the identifier 108. The application on the mobile device 107 alsopresents the authenticated user with network connection options for theedge device 101 (e.g., cellular network, wireless local area network(LAN), etc.). The edge device 101 may communicate networkingcapabilities, at least for configuration and activation, with itsidentifier 108. Based on selection of a connection option, theapplication on the mobile device 107 generates a configuration requestmessage 111 indicating the selected option (e.g., a named wireless LAN)and transmits the request message 111 to the server 113. The server 113accesses the database 115 to determine whether the authenticated user isauthorized to at least select a network connection option for the edgedevice 101. If so, then the server 113 (or security software running onthe server 113) signs the request 111 and generates a signed configurerequest 119. The server 113 signs with the one of the keys 117 thatcorresponds to the edge device 101. The server 113 may lookup the keywith the unique identifier communicated in the configure request message111. The server 113 communicates the signed configure request 119 to thesupport application on the mobile device 107, and the mobile device 107forwards the signed configure request 119 to the edge device 101. Theedge device 101 validates the signed configure request 119 with alocally stored key. Assuming validation, the edge device 101 connects tothe wireless LAN named in the signed configure request 119 that has beenvalidated.

After connecting to the wireless LAN according to the signed configurerequest 119, edge device 101 establishes a remote support session with aremote support application 138 used by the remote technicians 123. Afteridentification or selection of the remote technicians 123 for the edgedevice 101, the edge device 101 establishes a secure connection (e.g.,an application layer connection secured with secure sockets layer (SSL)or Transport Layer Security (TLS)) with the server 113. The secureconnections facilitates communication of application support messagesbetween the remote technicians 123 and the edge device 101. The secureconnection leverages an open HTTPS port and thus does not necessitateopening an additional port in a firewall that likely already has a portfor HTTPS open. The edge device 101 establishes a secure connection 121with the server 113 as an endpoint.

A secure connection can also be established between the remote supportapplication 138 and the server 113 to facilitate communication ofapplication support messages between the remote support application 138and the server 113. The server 113 can determine with the database 115that the remote technicians 123 can access the edge device 101. Theserver 113 interacts with the remote technicians 123 (e.g., generates anotification to the remote technicians 123) to facilitate establishing asecure connection 125 between the remote support application 138 and theserver 113 as the endpoints. These secure connections 121, 125 and theserver 113 form a secure path. With the server 113 operating as a bridgeor switch, information securely flows between the remote technicians 123and the edge device. When the server 113 receives messages from the edgedevice 101, the messages are decrypted, validated, and then re-encryptedfor the secure connection 125 if valid. Similarly, the server 113decrypts messages from the remote support application 138, signs themessages with a key associated with the edge device 101, and re-encryptsthose signed messages for communication over the secure connection 121.

After the secure path has been established, the remote technicians 123can access and control the edge device 101 via the remote supportapplication 138. In response, the edge device 101 communicates requestedinformation, video, and/or screen updates as feedback to the remotetechnicians 123. The edge device 101 includes video streaming capabilityand can begin transmitting video of the target device 103 to the remotetechnicians 123. The remote technicians 123 can assess state of thetarget device 103 including guiding someone on power up and connectingthe edge device 101 to the target device 103. The remote technicians 123can guide a user in placing the edge device 101 in viewing range of thetarget device 103 and then control a camera of the edge device 101 tovisually assess the target device 103. The edge device 101 has an arrayof capabilities available to assess a target device based upon state ofthe target device. With more functionality available on the targetdevice (e.g., completing load of an operating system), the edge device101 provides remote technicians more information and greater access to atarget device.

With a single connection between the edge device 101 and the targetdevice 103, the remote technicians 123 can do a more in-depth assessmentof the target device 103. Prior to obtaining this level of access, someembodiments may impose another security measure that limits the edgedevice 101 to target devices associated or bound to the edge device 101.For this additional security measure, the edge device 101 communicateswith the server 113 via the secure connection 121 to determine whetherthe edge device 101 is authorized to access the target device 103.Establishing authorization of an edge device to access a target devicecan be done after a user obtains the edge device 101. The user canregister devices in association with the edge device with the supportservice to establish permission for an edge device to access devicesidentified or selected by the user.

For this example, a cable 105 connects a universal serial bus (USB)interface of the edge device 101 to the target device 103. The edgedevice 101 can present emulated peripherals 135 to the target device 103for assessing the target device 103. The edge device 101 can presentthese emulated peripherals over the cable 105 to a standard interfacedriver on the target device 103. If a remote support message process 137can be executed on the target device 103, then the edge device 101 canefficiently communicate a compact message with inputs and/or requestscorresponding to different remote peripheral devices (“remote supportmessage”). The edge device 101 establishes a message pipe 139 with theremote support message process 137 above the physical layers and cancommunicate both remote support messages and legacy USB messages.

The inputs and requests transmitted to the target device 103 from theedge device 101 originate from the remote support application 138 beingused by the remote technicians 123. The remote technicians 123 transmitremote support messages 131 with inputs (e.g., keystrokes) and requests(e.g., telemetry requests) over the secure connection 125 to the server113. The server 113 uses the key of the edge device 101 to sign theremote support messages 131 from the remote support application 138. Thesigning generates signed remote support messages 133. After decryptingthe messages 133, the edge device 101 validates the signatures and theneither communicates the validated remote support messages 133 directlyto the target device 103 or communicates the validated remote supportmessages 133 to the emulator presenting the emulated peripherals 135.The edge device 101 communicates feedback from the target device 103 insigned feedback messages 129 to the server 113 over the secureconnection 121. When the edge device 101 receives a feedback message(e.g., a remote display protocol message or a telemetry responsemessage), the edge device 101 signs the message with a key of the edgedevice 101. The server 113 decrypts the messages 129, validates thesigned messages 129, and then re-encrypts the messages to generatefeedback messages 135 if valid. The server 113 communicates the feedbackmessages 135 via the secure connection 125 to the remote supportapplication 138.

The digital signing by the trusted server 113 and the edge device 101 isone technique of securing messages between the trusted server 113 andthe edge device 101. The technique of securing messages can vary acrossembodiments with the type of key paradigm used. In some embodiments, thetrusted server 113 and the edge device 101 have a pre-shared key (PSK)that is used with a cryptographic hash function to sign messages. Tosign the messages, a hash generated with the cryptographic hash functionand PSK is appended to the message. In some embodiments, the PSK isconcatenated with the hash. In some embodiments, the edge device 101 andthe trusted server 113 secure messages by encrypting and decryptingmessages according to asymmetric cryptography. The trusted server 113and edge device 101 may be assigned decryption keys and encryption keys.Instead of validating a message signature, the trusted server 113 woulddecrypt a message from the edge device 101 using a decryption key thatcorresponds to the encryption key used by the edge device 101. Likewise,the edge device 101 would decrypt messages from the trusted server 113using a decryption key that corresponds to the encryption key used bythe trusted server 113 for messages sent to the edge device 101. Theparadigm used to secure the messages uses keys that are distinct fromthe session key(s) used for communicating the messages according to thesecure communication connection protocol (e.g., SSL or TLS).

Since the server 113 likely manages multiple secure paths between remotesupport entities and portable edge devices, the server 113 maintains aswitching or bridging structure 127. The structure 127 binds secureconnections that form a secure path via the server 113. The server 113restricts bridging or forwarding of messages to comply with the bindingsindicated in the structure 127.

While the internal enterprise support use case may vary from theconsumer use case, the support system elements and operations aresimilar. Due to the similarities, some illustration details are omittedfor the enterprise use case. An enterprise location 145 (e.g., datacenter or corporate site), houses numerous devices including a set ofcomputers 142 and a set of computers 144. In addition to technicaltroubleshooting, portable edge devices 141, 143 can be used to managedevices of the enterprise, such as ensuring timely software updates orsecure configurations. The edge devices 141, 143 are not depicted withradio waves because the enterprise use case supposes a security donglerequirement in order to activate the edge devices 141, 143 as an examplealternative to wireless communication.

After authentication and authorization for activating the edge devices141, 143, the edge devices 141, 143 respectively establish securityconnections 147, 149 with a trusted server 157 over a network 140. Thetrusted server 157 may be a trusted server resource of a third partyservice provider or of the enterprise. A single trusted server 157 isdepicted, but implementations likely have multiple trusted servers and aload balancer. As in the consumer case, global technicians 155 useinstances 158 of a remote support application to communicate remotesupport messages for accessing and controlling the edge devices 141, 143as well as target devices 142, 144. The remote support applicationinstances 158 establish secure connections with the trusted sever 157after authentication and authorization of global technicians 153 for theedge devices 141, 143. The trusted server 157 owns or has access tosecurity keys 161 for the enterprise to sign the messages communicatedbetween the trusted server 157 and the edge devices 141, 143. Asmentioned in the consumer use case, the trusted server 157 creates andmaintains a structure 159 to bind connections between remote supportapplication instances 158 and the edge devices 141, 143. Over thesesecured paths, the global technicians 155 across one or multiplelocations can support the devices of the enterprise.

Remotely Controlled Support Edge Device

FIG. 2 is an example depiction of hardware components for an edge devicecapable of remote support of a target device. FIG. 2 depicts an edgedevice 200 having a USB port for target device 201 and a USB controller202, which support communication with a target device (not depicted).The edge device 200 also includes several USB peripherals and componentswhich facilitate selectively exposing USB peripherals to a target deviceand an onboard computer 205. These USB peripherals and componentsinclude a USB hub for target device 203, a USB hub for onboard computer205, a configurable USB device 210, a human interface device (HID)emulator 213, an internal USB interface 217, a USB multiplexer 220, andswitches 221-224. The configurable USB device 210 includes a USB master211 and a USB slave 312. The edge device 200 also includes componentsfor providing an internet or network connection to the edge device 200,including a registered jack 45 (RJ45) port 216, a wireless communicationinterface 208, and a cellular/GPS interface 209. The internet connectionprovided by these components can be passed to a target device through aUSB ethernet device 214. The edge device 200 also includes a camera 206,storage 218, and a cryptographic security unit 219. The edge device 200is powered by a battery 231 which is charged through a charger port 230.

The components depicted in FIG. 2 may be soldered to one or more printedcircuit boards (PCBs) and electrically connected through PCB traces orother connectors. For example, some components, such as the wirelesscommunication interface 208, may be located on daughter board whichconnect to a motherboard hosting other components through a card edgeconnector. The connections between the components in FIG. 2 are depictedusing a single arrow; however, the components may be connected bymultiple traces or communication lanes. For example, the connectionbetween the universal asynchronous receiver/transmitter (UART) of theonboard computer 205 to the HID emulator 213 can include a first traceconnection to serve as a transmitting lane and a second trace connectionto serve as a receiving lane. Similarly, each of the components mayinclude one or more pins of which some or all may be connected to tracesfor communication with other components. The pin layout for eachcomponent can vary.

The onboard computer 205 executes remote support software 240 (“software240”) to allow for remote access by IT support personnel and control ofvarious components of the edge device 200. In general, the onboardcomputer 205 includes hardware sufficient for executing an operatingsystem, such as a processor, memory, and storage, and also includeshardware for interfacing with the USB devices and other components ofthe edge device 200. The onboard computer 205 includes or is connectedwith a UART for communicating with attached serial devices such as theHID emulator 213. The onboard computer 205 also includes one or moregeneral purpose input/output (GPIO) interfaces for communicating orreceiving information from components such as the multiplexer 220. Thesoftware 240 can include software to allow the onboard computer 205 tointeract with a trusted server and relay messages to a target device,act as a virtual network computing (VNC) endpoint, allow forestablishing secure connections using secure shell (SSH) protocols,expose application programming interfaces (APIs) for controllingcomponents (e.g., the switches 221-224, the HID emulator 213, theconfigurable USB device 210, and the camera 206), etc.

The edge device 200 connects to a target device via a USB cableconnected from the USB port for target device 201 to a USB interface onthe target device. The USB port for target device 201 is backed by a USBcontroller 202 which allows for the edge device 200 to present as a USBdevice/peripheral and facilitates communications with the target inaccordance with various USB protocols. For example, the USB controller202 can perform a handshake with the USB interface of the target deviceand establish the edge device 200 as a USB device. Since the edge device200 acts as a USB device, the USB controller 202 is configured in anupstream facing port implementation, with the target device serving asthe USB host or downstream facing port.

The edge device 200 utilizes this connection to expose various USBperipherals to the target device for the purposes of controlling andproviding remote technical support for the target device. In someimplementations, the USB controller 202 may be switchable to allow forcomplete disconnection of the edge device 200 from a target devicewithout requiring physical disconnection of a cable between the edgedevice 200 and a target device.

The USB controller 202 presents the USB hub for target device 203 andany connected USB devices to a target device through the USB port fortarget device 201. USB devices are selectively connected to the USB hubfor target device 203, and therefore selectively presented to a targetdevice through activation of the switches 221-224. Similarly, the USBdevices can be selectively connected to the USB hub for onboard computer204 for presentation to the onboard computer 205. The switches 221-224are remotely activated through the onboard computer 205 which controlsthe switches 221-224 through GPIO connections (not depicted) using aserial communication protocol, such as the Inter-integrated Circuit(I2C) Protocol or RS-232. Generally, the switches 221-224 can becontrolled by transmitting a high signal for a first setting and a lowsignal for a second setting, e.g. a first setting for outputting to theUSB hub for target device 203 and a second setting for outputting to themultiplexer 220. The switch 1 221 controls whether the USB slave 212 ofthe configurable USB device 210 is connected to the USB hub for targetdevice 203. The switch 2 222 controls whether the HID emulator 213 isconnected to the USB hub for target device 203 or the USB hub foronboard computer 204. The switch 3 323 controls to which hub the storage218 is connected. The switch 4 224 controls whether the USB ethernetdevice 214, and therefore an internet connection, is connected to theUSB hub for target device 203. The multiplexer 220 allows for the USBdevices to be connected to the onboard computer 205 through the USB hubfor onboard computer 204. The onboard computer 205 communicates with themultiplexer 220 through the GPIO pins in accordance with a serialcommunication protocol and can manipulate the multiplexer 220 toselectively connect one or more of the USB devices, such as the storage218, to the USB hub for onboard computer 204.

The HID emulator 213 mimics the outputs of USB keyboard and mousedevices and allows for keyboard and mouse input from remote IT personnelto be forwarded to a target device. The HID emulator 213 may be amicrocontroller which is configured with firmware for emulating keyboardstrokes and mouse movement. The onboard computer 205 forwards receivedkeyboard and mouse inputs to the HID emulator 213 through the UART ofthe onboard computer 205. For example, if remote IT personnel types theletter “A,” a program of the software 240 executing on the onboardcomputer 205 causes the onboard computer 205 to transmit arepresentation of the letter “A,” such as the American Standard Code forInformation Interchange (ASCII) representation, to the HID emulator 213over the UART. In response to receipt of the letter “A” representation,the HID emulator 213 outputs a message with the letter “A” in a USBprotocol compatible format which is forwarded to a target device. Thetarget device processes the message of the letter “A” as if it weretransmitted by a locally connected USB keyboard device. Because the HIDemulator 213 presents as a locally connected USB device, the HIDemulator 213 can be used to transmit keystrokes at boot up of a targetdevice to access and control a target device's BIOS or UnifiedExtensible Firmware Interface (UEFI).

The storage 218 is presented as a USB storage device through theinternal USB interface 217. The storage 218 may be flash storageattached to a microcontroller for communicating with the internal USBinterface 217. The storage 218 can be presented to the onboard computer205 to allow for IT personnel to remotely upload data, such as anoperating system image. The storage 218 can then be switched via theswitch 3 223 and presented to a target device. If the storage 218 isloaded with an operating system installation image, for example, theonboard computer 305 can control the switch 3 223 to present the storage218 at boot up of a target device so that the target device can bootusing the operating system installation image. The onboard computer 205may also present the storage 218 to a target device and create copies ofor quarantine potentially malicious files from the target device to thestorage 218. The storage 218 can then be switched back to the onboardcomputer 205 to allow for the onboard computer 205 to perform a virusscan of the files.

The configurable USB device 210 includes two USB microcontrollers: theUSB master 211 and the USB slave 212. Since the USB protocol operatesbased on a host-device relationship, a USB device cannot be presented totwo hosts simultaneously. The configurable USB device 210 solves thisissue by including two USB microcontrollers: the USB master 211 which ispresented as a USB device to the onboard computer 205 and the USB slave212 which is selectively presented as a USB device to a target device.The USB master 211 and the USB slave 212 can each be loaded withfirmware or program code to cause the microcontrollers to perform as oneor more various types of USB devices, e.g. a keyboard, a printer, amouse, a webcam, a display adapter, etc. For example, configuring theUSB slave 212 as a display adapter allows for the display of a targetdevice to be output to the USB slave 212, which may then be forwardedthrough the USB master 211, the onboard computer 205, and the internetto remote IT personnel. The USB master 211 can also be loaded withfirmware that allows for the onboard computer 205 to transmit messagesthrough the USB master 211 for configuring the USB slave 212. The“master” and “slave” terminology refer to this ability of the USB master211 to control the USB slave 212 and dynamically change its function orUSB device type. For example, if trying to diagnose a printer issue, theonboard computer 205 may configure the USB slave 212 through the USBmaster 211 to present as a USB printer device by reconfiguring thedevice descriptor fields of the USB slave 212.

In one remote support embodiment, the USB slave 212 is configured as acustom USB device for interfacing with support software installed on atarget device. In this embodiment, the USB master 211 is configured torelay messages to and from the USB slave 212 and the onboard computer205. The USB slave 212 is configured to relay messages to and from theUSB master 211 and a target device. The messages can include HIDmessages, e.g. keyboard strokes and mouse movement; digital video of adisplay of a target device; data to be stored or loaded onto a targetdevice or retrieved from the target device; messages for other emulatedUSB devices, such as a printer or storage; and messages with diagnosticinformation of the target device, such as a processor temperature,whether the processor fan is activated, whether storage drives areconnected and healthy, etc. The ability of the configurable USB device210 to relay USB messages between the onboard computer 205 and thesupport software on a target device allows for other USB devices withinthe edge device 200, such as the HID emulator 213 and the storage 218,to be disconnected from the USB hub for target device 203 and no longerpresented to the target device. So, messages transmitted to a targetdevice may follow different paths within the edge device 200 dependingon a current state of a target device. When the target device isfunctional and is executing support software for interfacing with thecustom USB device as described above, messages from remote IT personnelto the target device can be transmitted to the onboard computer 205 andthrough the configurable USB device 210. If, however, a target device isnot functional or has not yet been equipped with the support software,messages to the target device follow a different path. For example, HIDmessages are sent through the HID emulator 213 as described above, anddata to be loaded onto the device is first loaded onto the storage 218and then presented to the target device.

The external device port 207 can be used to add additional devices tothe edge device 200 which can be exposed to either the onboard computer205 or a target device. The external device port 207 can be a USB Type-Breceptacle coupled with a microcontroller configured as a USB host toallow for the connection of USB devices. For example, a USB flash driveloaded with a disk image to be copied to a target device may beconnected to the external device port 207.

The edge device 200 can receive an internet or network connectionthrough the RJ45 port 216, the wireless communication interface 208,and/or the cellular/GPS interface 209. The connection allows for remoteIT personnel to access and control the edge device 200. Additionally,the connection can be provided to a target device which is unable toestablish a connection through its own network adapters. The RJ45 port216 receives a connection through a physically connected ethernet cable,the wireless communication interface 208 receives a connection through awireless radio (e.g., a 2.4 gigahertz or 5 gigahertz radio) inaccordance with Institute of Electrical and Electronic Engineers (IEEE)Wi-Fi protocols, and the cellular/GPS interface 209 receives aconnection through communication with a cellular network in accordancewith cellular communication protocols. The wireless communicationinterface 208 can also receive a connection via a Bluetooth radio. Theinterfaces can be enabled and disabled by the onboard computer 205. Theonboard computer 205 may enable one interface at a time or prioritizewhich interface is utilized for a connection. In some implementations,the onboard computer 205 may enable the cellular/GPS interface 209 andoperate in a reduced bandwidth mode (e.g., a mode in which the camera206 is not enabled and no video traffic is being transmitted). Using theinternet connection of the cellular/GPS interface 209, remote ITpersonnel may configure the wireless communication interface 208 toconnect to a local Wi-Fi network and then disable the cellular/GPSinterface 209 and resume normal operation.

Each of the interfaces connects to or is coupled with anethernet/network chip (sometimes referred to as a Physical LayerIntegrated Circuit (PHY IC)). The ethernet chips may be integrated intothe USB hub for onboard computer 204 or integrated within theinterfaces, which are then presented as USB devices to the USB hub foronboard computer 204. To provide the connection to a target device, theconnection is forwarded to the USB ethernet device 214 which is thenselectively presented as a USB device to a target device via the switch4 224. The USB ethernet device 214 also includes an ethernet chip.Typically, communication between two ethernet chips has a minimum traveldistance of 1 meter. This distance ensures that signals between the twonetwork chips can be effectively isolated and coupled to reduce noiseand electromagnetic interference (EMI). In some implementations,capacitors and resistors can be used to appropriately condition a signalso that a shorter travel distance between two ethernet chips (e.g., twochips co-located on a circuit board) can be utilized; however, theseimplementations have been shown to cause inferior communication (e.g.,dropped packets) and cause issues with automatic detection of operatingfrequencies and other handshaking parameters. To resolve these issues,the edge device 200 utilizes the magnetics 215 to condition a connectionsignal from an enabled interface to the USB ethernet device 214. Themagnetics 215 may comprise one or more of transformers, inductors, andfilters designed to perform the isolation and coupling of the signalsbetween the enable interface and the USB ethernet device 214 andconfigured to perform functions such as impedance match, signal shaping,common mode noise reducing and EMI reducing, etc. The magnetics 215 maybe implemented within a single integrated circuit or chip module.

The wireless communication interface 208 can also include a radio forshort range communications with other devices in accordance with theBluetooth protocol. For example, the wireless communication interface208 can pair with a smartphone or similar device via Bluetooth. Thesmartphone may include an application for transmitting messages to theedge device 200 or, if the edge device 200 does not have an internetconnection, supplying an internet connection via a Bluetooth tether withthe smartphone. Additionally, in some implementations, the edge device200 may connect to a target device using the Bluetooth connectioninstead of through a physical USB connection. The edge device 200 canthen wirelessly transmit messages to the target device for providingremote IT support.

The cellular/GPS interface 209 can also be used to determine aterrestrial location of the edge device 200. The cellular/GPS interface209 may include a chip for communication with a Global PositioningSystem (GPS). Alternatively or in addition to using the GPS chip, thecellular/GPS interface 209 can determine a terrestrial location usingthe cellular radio in communication with cellular towers to triangulatea location of the edge device 200. The geographic location of the edgedevice 200 may be used to provide additional security by limiting use ofthe edge device 200 to a specified, geo-fenced area. For example, if theedge device 200 is owned and used exclusively by a company, the edgedevice 200 may be limited to use on premises of the company.

The cryptographic security unit 219 (also referred to as a TrustedPlatform Module (TPM)) is used to store one or more keys in embeddednon-volatile memory (eNVM). The eNVM may be one-time write or writeprotected memory which prevents the keys from being modified oncewritten to the eNVM. The keys may be used by the onboard computer 205 tosign and verify messages between the edge device 200 and remote ITsupport. For example, messages may be encrypted usingRivest-Shamir-Adleman (RSA) or Advanced Encryption Standard (AES)algorithms. The cryptographic security unit 219 may have shared keyswhich are the same across all manufactured edge devices 200 and uniquekeys which are different from other edge devices. For example, a uniquekey may serve as a serial number for the edge device 200 and be globallyunique among manufactured edge devices 200. Keys may be specified asrequired for performing various operations on the edge device 200 andmay be used to provide tiered levels of access to the edge device 200.For example, the edge device 200 may require that messages forconfiguring the wireless communication interface 208 be signed with akey designated for network configuration operations. Additionally,firmware or software updates sent for installation on the edge device200 can be signed using a key designated for updates, or a digest of anupdate can be generated by remote IT personnel using a secure hashalgorithm (SHA) and signed with the designated key to allow the edgedevice 200 to determine whether the update has been modified. Thecryptographic security unit 219 may include a secure crypto processor ormicroprocessor for carrying out some of the cryptographic operationsdescribed above, such as encrypting/decrypting messages, generating hashdigests, etc. The onboard computer 205 would invoke library functionsfor the cryptographic security unit 219 to carry out the cryptographicoperations, such as signing a message. The cryptographic security unit219 may also have physical security measures to provide tamperresistance.

The camera 206 is positioned to face away from the edge device 200 andcan be located in front of a target device to provide video of thedevice to remote IT personnel. The camera 206 includes hardware forcapturing digital video and transmitting the video over the USB hub foronboard computer 204 to the onboard computer 205. For example, thecamera 206 may include a chip for encoding the digital video inaccordance with an H.264/MPEG format. The onboard computer 205 can thenstream the digital video over the internet connection to software ofremote IT personnel. The camera 206 may also be equipped with autofocus,image stabilization, or zoom components and a servo motor to enablepan/tilt control. The onboard computer 205 can transmit pan/tilt or zoomcommands to the camera 206 so that the camera 206 can be remotelyadjusted by remote support. The camera can also be utilized forconfiguring the edge device 200. For example, the onboard computer 205may utilize the camera 206 to scan a Quick Response (QR) code whichcontains configuration information such as a Wi-Fi password.

The battery 231 provides power to the above described components. Powerfrom the battery 231 may be distributed to the components through tracesin a PCB. The battery 231 may be charged by connecting the charger port230 to a power source. The charger port 230 includes a receptacle, e.g.,micro-USB, for connecting a power source and can include circuitry, suchas regulators, capacitors, and resistors, for conditioning or modifyingvoltage/amps of received electrical current. The charger port 230 mayalso include circuitry for bypassing the battery 231 in order to providepower directly to the components when a power source is connected. Apower switch (not depicted) may be place in line with a power circuitprovided by the charger port 230 and the battery 231 to allow for powerto be selectively applied or disconnected from the components of theedge device 200.

The edge device 200 can include a housing for enclosing the abovedescribed components. The housing may take a number of form factors suchas a cube, rectangular prism, etc. In some embodiments, the edge device200 may be incorporated into a housing connected with or incorporated ina table, locker, or other surface on which a target device can be placedand connected to the edge device 200 for IT support. The housing caninclude cutouts for accessing ports such as the USB port for targetdevice 201, external device port 207, RJ45 port 216, and charger port230. The housing may include other physical features such as a handlefor transporting the edge device 200, ventilation holes for cooling theinternal components, a mechanism for raising the height of the edgedevice 200 for positioning the camera 206 in front of a target device,etc.

Various implementations of the edge device 200 can include more or fewercomponents than those described above and depicted in FIG. 2. Forexample, some implementations may not include an RJ45 port. Someimplementations may use a different configuration or layout of USB hubs.For example, the onboard computer 205 may utilize multiple internal USBhubs which may vary in the number of supported peripherals. In someimplementations, the edge device 200 can include an external display forpresenting information such as whether a session with IT support hasbeen established, battery level, cellular connection strength, etc. Thisinformation can also be presented through one or more light emittingdiodes (LEDs) on a housing of the edge device 200. Additionally, in someimplementations, a layout of the components can be modified or optimizedto fit various form factors for the edge device 200 as described above.For example, the components may be distributed across stacked printedcircuit boards to fit a specified housing size for an embodiment of theedge device 200.

Protocols supported and utilized by each of the above components canvary. For example, each of the USB interfaces described above maysupport one or more of the USB 2.0, 3.0, and 3.1 standards.Additionally, USB ports may be implemented as USB Type-C, Micro-USB,Mini-USB, USB Type-A, or USB Type-B receptacles. The wirelesscommunication interface 208 can support one or more of various Wi-Fiprotocols such as 802.11 b, g, n, ac, etc., and the Bluetooth chipwithin the wireless communication interface 208 can support variousBluetooth protocols such as Bluetooth 4.0, 4.1, Bluetooth Low Energy,etc. The cellular/GPS interface 209 can support one or more of variouscellular communication protocols such as third generation (3G), fourthgeneration (4G, sometimes referred to as Long-Term Evolution (LTE)), andfifth generation (5G).

FIG. 3 depicts a flowchart with example operations for protectedoperation of an edge device using cryptographic keys. FIG. 3 refers toan onboard computer as performing the operations for naming consistencywith FIG. 2, although naming of software and hardware can vary amongimplementations. Additionally, some operations below, such as validatinga key or a signature of a message, may be performed by a cryptographicmicroprocessor in communication with the onboard computer.

An onboard computer (“computer”) of an edge device writes one or morekeys to embedded non-volatile memory of a cryptographic security unit(302). In general, communications between the computer and a trustedserver may be encrypted or signed using keys or certificates which areshared among the devices. Beyond the general use of encryptedcommunications, additional security can be provided for some operationsby requiring a specific key or signature generated using the key tovalidate that the sender of a message has permission to perform aprotected operation indicated in the message. Upon a first startup orinitialization of the edge device, the computer may write one or moreshared or unique keys to the eNVM and write identifying information forthe edge device, such as a model number and a unique serial number.Alternatively, another device may write the keys to the eNVM during amanufacturing process of the edge device. The keys may be generatedusing a random number generator or pseudo-random number generator. TheeNVM may include multiple slots or addressable units for storing keys.The slots can be numbered like an array, e.g., a slot 0, 1, 2, 3, etc.Each slot may be associated with a particular operation or identifyinginformation for the edge device. Slot 0, for example, can store a serialnumber for a device, slot 1 can store a key used for tasks such assigning a software or firmware update, and slot 2 can store a unique keyused to digitally sign messages the edge device 200 sends to a trustedserver resource and validate received messages. Multiple slots may beused for general purpose unique keys that can be assigned to particularusers or IT support providers. As authorized IT support providers areremoved from a particular device, the keys may be unassigned to preventthe support providers from controlling the edge device using thepreviously assigned key. The computer can include a table thatassociates slots with their corresponding operation type, assigneduser/provider, edge device identifying information, etc. For example,the table may indicate that slot 3 includes a key for networkconfiguration operations. The keys are pre-shared keys with a trustedserver or database so that messages sent to the computer can be signedwith the appropriate keys. In some implementations, for example, if RSAencryption is being used, the computer may not share a key and, instead,may keep the key private to the edge device and share a paired key whichserves as a public key for encrypting messages. The keys may be storedby the trusted server in association with the serial number or otheridentifying information of the edge device to allow for future retrievalduring communications with the edge device. The keys can be selectivelyassigned or made available by the trusted server to users/IT supportproviders who are authorized to access and communicate with the edgedevice. Which keys are made available can vary based on a user'spermissions and access level, e.g., whether the user is an administratoror lower level user.

The computer detects a message for performing a protected operation(304). Block 304 is depicted in FIG. 3 using a dashed line as theoperations of block 304 may execute in the background and trigger theoperations described below each time a message for a protected operationis received. Messages may be received from a trusted server or from asmartphone connected over Bluetooth or other communication interface.Messages may contain a field identifying a message type which indicatesan operation or command indicated in the message. For example, messagetypes may include a keyboard/mouse input, a command to activate a switchcoupled to a USB device, a command to configure a wireless networkinterface, etc. Since the messages may be encrypted, the computer mayfirst decrypt a received message and then identify a message type orotherwise determine an operation indicated in the message. If themessage type or determined operation corresponds to an operation whichhas been identified as protected, the computer prevents the operationfrom being performed until the message has been validated. The computeralso identifies a key or signature included in the message.

The computer identifies a key in the cryptographic security unitassociated with the protected operation and/or a source of the message(306). The computer may utilize the message or operation type toidentify the corresponding slot entry in the eNVM which contains the keyassociated with the protected operation. Additionally, in someimplementations, the key associated with the protected operation may beidentified based on a source of the message. For example, one of thekeys may have been assigned to a user which has been indicated as anauthorized user of the edge device. The computer can determine that theuser was the source of the message with the protected operation andretrieve the assigned key. In some instances, the user may need to signthe message with both its assigned key and the key associated with theprotected operation in order for the message to be successfullyvalidated. In instances where the cryptographic security unit includes amicroprocessor, the computer may not retrieve a key from the eNVM of thesecurity but, instead, generate a command for transmission to thecryptographic security unit which identifies the key to be used, e.g.indicates a corresponding slot/address of the eNVM, for validation ofthe message.

The computer validates a key/signature received with the message usingthe identified key(s) (308). Since the messages are encrypted, digitalsignatures may be appended to the end of messages. The computer canidentify the key/signature after decryption and send the key/signatureto the cryptographic security unit for validation. If the key/signaturesuccessfully validates, the computer determines that the message isvalid and was not tampered with in flight to the computer. In additionto keys, other techniques may be used to validate a message. Forexample, a user's secret credential can be transmitted with eachmessage, and messages may be associated with timestamps which indicatean expiration time for the message. If the credential does not match astored credential or the timestamp has expired, the message will not bedeemed valid.

The computer determines whether the protected operation may be performed(310). If the computer successfully validates the signature/key receivedwith the message, the computer determines that the message is valid andthat the protected operation can be performed. If the computer wasunable to validate the signature/key received with the message, thecomputer determines that the message is invalid and that the protectedoperation cannot be performed.

If the operation can be performed, the computer performs the protectedoperation indicated in the message (312). For example, the computer mayexecute an operation for configuring a wireless network interface orpresenting a USB device to a target device.

If the signature was not successfully validated, the computer blocks theoperation indicated in the message from being performed (314). Thecomputer does not perform the operation and may generate and transmit analarm back to the trusted server to notify the server of the invalidmessage. The computer may take additional security actions such asdisconnecting network interfaces, disconnecting the USB connection froma target device, etc.

After performing or blocking the protected operation, the computerresumes monitoring for messages for performing protected operations(304).

FIG. 4 depicts a flowchart with example operations for managing messagepaths in accordance with an operating state of a target device. FIG. 4refers to an onboard computer as performing the operations for namingconsistency with FIG. 2, although naming of software and hardware canvary among implementations.

An onboard computer (“computer”) of an edge device determines whethersupport software is executing on a target device (402). The edge devicecan operate in different states or modes depending upon the state orfunctionality of a target device. In a first mode, the edge devicepresents various USB devices, such as storage and a HID emulator, whichcommunicate as if they were local to the target device. The first modeis useful for situations in which the target device cannot successfullyboot an operating system or if BIOS/UEFI settings of the target deviceneed to be modified. However, this mode can suffer from some performancedrawbacks such as delay in keyboard and mouse input through the HIDemulator, limitations in the ability to load data onto the targetdevice, and poor/delayed video quality of a display of the target devicewhich is provided by the camera of the edge device. Many of thesedrawbacks can be diminished by operating in a second mode or “directmode” in which a connection is established between the computer of theedge device and support software executing on the target device. Thesupport software can receive messages directly from the computer whichcan include keyboard and mouse input, data to be loaded on the device,scripts to be executed, etc. Additionally, the support software cantransmit data to the computer such as a high-fidelity stream of thetarget device's display and diagnostic information for the targetdevice. To determine in which mode to operate, the computer determineswhether the support software is executing on the target device. Thecomputer can determine this information based on whether a connectionwith the support software has been established via a presented remotesupport USB device, or the computer can receive a message from remote ITpersonnel indicating that the support software is executing and ready tobe utilized.

If the support software is not executing, the computer presents USBdevices for emulating HID and troubleshooting to the target device(404). The computer may enable and present various USB devices inresponse to messages received from remote IT support. Typically, thecomputer at least presents a HID emulator for transmitting keyboard andmouse input to the target device. The computer may also present USBdevices for providing storage/transmitting data to the target device andproviding an internet connection. The computer may also enable a cameraon the edge device for viewing the target device. The computer presentsthe USB devices by activating corresponding switches within the edgedevice. Activating the switches causes the corresponding device to beconnected to a USB hub which is connected to the target device.

The computer begins transmitting messages to the target device throughthe presented USB devices (406). For keyboard and mouse input messages,the computer communicates with the HID emulator through a UART, and theHID emulator relays the received input messages to the target device.For storage USB devices, the computer may switch a USB storage devicebetween itself and the target device so that data may be remotelyuploaded to the USB storage device and then provided/moved to the targetdevice.

The computer provides support to the target device until an operatingsystem is successfully booted (408). Through the control of remotesupport, the computer can transmit messages for controlling the targetdevice in order to install and boot an operating system. For example,the computer may boot the target device into a presented USB storagedevice which contains an operating system image and proceed withinstalling the operating system. In some instances, an operating systemmay not need to be installed but other issues, e.g., viruses or registryerrors, may prevent the operating system from booting. Once those issuesare resolved, the computer may boot the operating system of the targetdevice.

The computer attempts to install and execute support software on thetarget device (410). Since the target device is able to boot anoperating system, the target device should be capable of executing thesupport software. The computer may present the support softwareexecutable file to the target device through the USB storage device. Thecomputer can then transmit HID messages to continue with installing andexecuting the support software.

The computer determines whether the support software was successfullyinstalled and executed (412). The computer can determine whether errorsoccurred during the installation process. The computer can receive amessage from remote IT personnel indicating whether the support softwareis or is not executing and ready to be utilized.

If the support software was not successfully installed, the computercontinues providing support through the presented USB devices untilissues are resolved (414). The computer can continue transmittingmessages and providing support as described above until issues areresolved. After additional troubleshooting and repair, the computer mayagain attempt to install and execute support software on the targetdevice. Otherwise, once issues are resolved, the support process ends.

If the support software was successfully installed and executed or ifthe support software was already executing on the target device, thecomputer presents a remote support USB device for interfacing with thesupport software executing on the target device (416). The remotesupport USB device relays messages from the computer to the supportsoftware on the target device and vice versa. The remote support USBdevice may be a custom USB device that transmits messages in a protocolwhich can be interpreted by the support software. The computer presentsthe remote support USB device by activating a switch corresponding tothe device to connect the device to a USB hub presented to the targetdevice.

The computer disconnects other USB devices from the target device (418).The remote support USB device can be used to send keyboard/mouse input,transmit data, transmit video, provide an internet connection, etc. As aresult, the other USB devices presented to the target device can bedisconnected. The computer disconnects the devices by activating theirswitches to sever the connection to the target device USB hub.

The computer begins transmitting messages to the support softwareexecuting on the target device through the remote support USB device(420). The computer transmits received IT support messages through theremote support USB device instead of the other previously presented USBdevices. For example, if the computer receives keyboard/mouse inputmessages, the computer may repackage the messages for transmissionacross the remote support USB device instead of transmitting themessages to a HID emulator. The transmitted messages are received andacted upon by the support software. For example, the support softwaremay transmit the keyboard/mouse input messages to the correspondingprocesses of the target device operating system. The computer alsoreceives messages from the support software, such as a video feed anddiagnostic information, through the remote support USB device which thecomputer then forwards over the internet to a trusted server.

The computer continues providing support to the target device throughthe remote support USB device until issues are resolved (422) or thesupport/management session is terminated. Once issues on the targetdevice are resolved, the process ends.

Remote Support Message Protocol

FIG. 5 is a conceptual diagram of communication of messages between anedge device and a target device for remote support of the target device.The description of FIG. 5 does not describe the validation of signedmessages since that was already described in FIG. 1. FIG. 5 depicts acomputer system target device as an example. An edge device 503 isconnected to a target device 501 with a cable 505 as described withreference to FIG. 1. Messages are communicated from the edge device 503to the target device 501 through one of two different message controlpaths. A peripheral emulation path routes messages through a HIDemulator 517 in order to present emulated peripherals to the targetdevice 501. An alternate control path bypasses the HID emulator 517 andinstead passes messages through a back-to-back USB microcontrollerconfiguration in the edge device 503 that forms a more directcommunication path to a message pipe 511. The message pipe 511 is alogical pipe layered above lower connection medium protocols thatcarries messages to a remote support message process 509. The remotesupport message process 509 is a program or process that processesmessages from the edge device 503 according to a remote support messageprotocol.

After the edge device 503 receives a remote support message 521, amessage handler 519 executing on the edge device 503 determines if themessage should be sent to the target device 501 through the peripheralemulation path or the direct path. The path through which the remotesupport message 521 is sent is dependent on assessed capability of thetarget device 501 and/or availability of the remote support messageprocess 509 on the target device 501. In addition, the remote supportmessage 521 may contain a message type indication in a message headerthat specifies which mode or path to process the remote support message521.

If the edge device 503 determines that the remote support messageprocess 509 is unavailable and/or the target device 501 has a limitedoperational state, then the edge device 503 passes the remote supportmessage 521 to the HID emulator 517. The HID emulator 517 processes theremote support message 521 and generates a corresponding emulatormessage 513 based on the HID being presented to the target device 501.The emulator message 513 is communicated to a BIOS 510 on the targetdevice 501.

If the edge device 503 determined that the remote support messageprocess 509 is available and/or the target device 501 has sufficientoperational state to execute the remote support message process 509,then the edge device 503 routes the message 521 through the remote USBdevice in the edge device 503 and transmits the message 521 via amessage pipe to the remote support message process 509.

Messages communicated through the peripheral emulation message pathallow the edge device 503 to interact with the target device 501 withany of the emulated peripherals 507 through a single-connection USBinterface. The peripheral emulation message path may be used when thetarget device 501 has not yet satisfied functionality criteria forutilization of the direct path. Messages communicated via the peripheralemulation path can be USB standard compliant messages with fieldsindicating destination, message type (e.g., keyboard stroke), and datawhich corresponds to an input or a data request.

After the remote support message process 509 receives the remote supportmessage 521, the remote support message process 509 processes themessage 521. The remote support message 521 may include one payload thatis a peripheral device input payload or request payload. As an example,the payload may be an operating system command, such as a single inputwhich can be converted to a device management system call. If the remotesupport message 521 has multiple payloads, then the remote supportmessage process 509 further examines the message content to ascertainthe payloads of the remote support message 521 and determinedestinations in the target device 501 for the payloads. Based onmetadata for the payloads, the remote support message process 509 canpass the payloads to an appropriate process or function of the targetdevice 501, such as drivers and telemetry processes.

For instance, a remote support message may include a message type fieldand data field for each of the inputs and/or requests which it carries.The remote support message process 509 performs an initial examinationof the structure of the remote support message to determine if it hasreceived a remote support message. For example, remote support messagesmay carry arrays of JavaScript Object Notation (JSON) objects, whereeach JSON object corresponds to a distinct input or request. The remotesupport message process 509 identifies that it has received an arraycontaining multiple elements which are to be processed separately. Theremote support message process 509 then “unpacks” the remote supportmessage to identify the distinct inputs and requests by traversing theJSON objects and route each to a corresponding destination accordingly.

FIG. 6 is a flowchart of example operations for processing a remotesupport message according to a support message protocol at a targetdevice when the remote support process is available at the targetdevice. The example operations refer to a remote support message processas performing the depicted operations for consistency with FIG. 5,although naming of software and program code can vary amongimplementations.

The remote support message process receives a message from an edgedevice (601). The message is communicated from the edge device through amessage pipe which has been established between the edge device and theremote support message process on the target device. The messageindicates inputs and/or requests to be directed towards components orperipheral drivers of the target device. The message can represent oneor multiple peripheral devices, as well as data requests. The messagemay include an element or payload type and data field for each input orrequest indicated in the message. Messages which carry multipledifferent types of message elements/payloads allow for efficientcommunication of commands, peripheral inputs, and/or data requests fromremote technicians (i.e., the remote support software being used by theremote technicians). The type field indicates a peripheral, such asmouse or video card, or a request. The data field includes the providedinput or request.

The remote support message process determines whether the message it hasreceived carries multiple payloads or message elements (603). Themessage may be an input or request which represents one peripheraldevice which can be converted to an operating system command or astandard message designated for a specific device driver (e.g.,input/output device read or write operations). Alternatively, themessage may represent inputs for different peripheral devices and/ormultiple requests. The remote support message process makes this initialclassification based on the message structure. For instance, the remotesupport message process may determine it has received a remote supportmessage that carries multiple payloads by identifying if the messagecontains multiple message type fields. The determination can also bemade based on identification of multiple message objects present withinthe message (e.g., within an array of JSON objects).

If the message represents one input or request which can be converted toa corresponding operating system command, the remote support messageprocess determines the target endpoint (605). The correspondingperipheral device is indicated in the message element type field, suchas whether the message corresponds to a keyboard, mouse, telemetryprocess, etc. The target endpoint is determined based on the messageelement type. For example, the remote support message process maydetermine that the message element type corresponds to a mouse and themessage therefore should be passed to the mouse driver. The remotesupport message process may also identify if the message is a requestbased on the determined target endpoint. For instance, the messageelement type field may identify a telemetry process by name or processidentifier.

The remote support message process routes the message to thecorresponding target device endpoint or invokes a function defined forthe OS or by an application programming interface (API) installed at thetarget device (607). The remote support message process may direct themessage to a driver identified as the target endpoint. The remotesupport message process may instead invoke or more function calls andpass payload/message element data as parameters via the function call tothe target endpoint (e.g., a process or application). For example, themessage element type may have been determined to indicate a mouse inputwith a set of coordinates for the mouse cursor position stored in themessage data field. The remote support message process retrieves thecoordinates stored in the data field for inclusion as a parameter in theoperating system command generated which, when executed, willcommunicate the coordinates with the mouse driver to ultimately updatethe position of the cursor on the target device interface.

If the message is determined to carry multiple messageelements/payloads, the remote support message process traverses eachmessage element to unpack the remote support message content (609).“Unpacking” the content may be traversing elements/objects of themessage carried in the message. The message objects can be multipleinputs and/or requests of different types, each of which may targetdifferent endpoints. For instance, the remote support message may be arequest for telemetry data as well as a mouse input. The remote supportmessage will include type fields for each of the telemetry request andmouse types and data fields for the requested data and the mouse input.The remote support message process distinguishes the message objectswhich have been included in the message so that each element may beprocessed and routed to its target endpoint accordingly.

The remote support message process first determines the target endpointfor the current message element (613). The target endpoint is determinedbased on the message element type indicated in the message.

The remote support message process processes the current message elementand routes the current message element to its target endpoint (615).Message elements are processed such that the endpoint receiving themessage can interpret the message accordingly, such as throughconversion to or generation of an operating system command or functioncall. The operating system command may be a driver API call or a systemcall. The remote support message process may also examine the content ofthe current message element to determine data which should becommunicated to the endpoint (e.g., keystroke data). The remote supportmessage process routes the current message element to the correspondingdestination for serving the request or executing the input. Forinstance, the current message object may be directed to an operatingsystem process or a peripheral device driver.

The remote support message process handles and routes message elementsuntil each of the message elements which was contained in the remotesupport message has been routed (617). After each message element hasbeen processed and routed, each of the inputs and/or requests indicatedin the remote support message which the remote support message processinitially received will have been served or executed accordingly.

FIG. 7 is a diagram of example operations performed by a trusted serverand a remotely controlled support edge device for communicating supportmessages to the edge device. FIG. 7 presumes that a secure connection(e.g., an SSL/TLS encrypted connection) has already been establishedbetween a server resource 701 and a remotely controlled support edgedevice 703. The server resource 701 is “trusted” based on a previouslyestablished security agreement between entities corresponding to theserver resource 701 and the edge device 703 or based on a single entityowning or at least controlling both the server resource 701 and the edgedevice 703. The server resource 701 has also already established asecure connection with a support application used by a remotetechnician.

The server resource 701 detects receipt of a remote support message 705over the secure connection with the remote support application (706).Since the message 705 was transmitted via a secure connection thatterminates at the server resource 701, the server resource 701 decryptsthe remote support message 705 (708). After decrypting the message 705,the server resource 701 identifies a destination edge device for theremote support message 705 (710). The server resource 701 can identifythe destination edge device from metadata in the remote support message705, assuming an identifier was previously communicated to the remotesupport application. In some embodiments, the server resource 701maintains a data structure that associates or binds secure connectionsthat form a secure path from a remote support application to a remotelycontrolled support edge device via the server resource 701. The serverresource 701 can access the data structure based on a connectionidentifier or session identifier of the secure connection between theremote support application and the server resource 701 to identify acorresponding secure connection to the edge device 703.

Based on identifying the destination, the server resource 701 selects acryptography key and secures the message 705 with the selected key(712). The server resource 701 may have access or maintain keys formultiple support edge devices. After identifying the secure connectionto the edge device 703 that corresponds to the secure connection withthe remote support application, the server resource 701 can access a keyrepository or security hardware with an identifier of the edge device703 to select the appropriate key. The server resource 701 may determinethe identifier of the edge device 703 by resolving a connectionidentifier to the edge device identifier or the message may indicate theedge device identifier. Securing the message 705 can be digitallysigning the message 705 with the selected key and using a cryptographichash function. For instance, the server resource 701 may generate a hashof the message with a cryptographic hash function based on the selectedkey. The server resource 701 then appends the hash to the message 705.The server resource 701 may also concatenate the key with the messagesignature or hash. Securing the message can also be encoding orencrypting the message 705 with the selected key. The selected key maybe an encryption key or public key of the edge device 703. This securingof the message is according to a remote support messaging protocol thatis distinct from the securing for the underlying communication protocol,such as securing according to a protocol corresponding to the networklayer or transport layer. After securing the message according to theremote support messaging protocol, the trusted server 701 transmits thesecured message 705 via the secure connection identified for thedestination edge device 703 (714). Transmission along the secureconnection may add another level of security that is dependent upon theprotocol of the secure connection and independent of the securitymechanism being used by the server resource 701 and the edge device 703.

The edge device 703 detects receipt of the secured message 705 over thesecured connection with the server resource 701 (716). For instance, aprocess on the edge device 703 that implements the secured connectionmonitors a receive buffer for messages.

After receipt of the message 705, the edge device 703 decrypts thesecured message 705 and determines a key to validate the message 705(714). The procedure for validation depends upon how the message wassecured. If the message 705 was secured by the server resource 701digitally signing the message 705, then the edge device 703 validatesthe signature. For example, the edge device 703 invokes a librarydefined function implemented by a security module or cryptography chip.In the function invocation, the edge device 703 passes as arguments themessage content and the digital signature. Assuming more than one key ispresent on the edge device 703, an indication of the key would also bepassed as an argument in the function call. The edge device 703 can havea default key indication (e.g., memory slot) for incoming messages froma device that is not the target device. Different keys may be associatedwith different connection mediums and/or different message types.

If the message is determined to be valid (720), then the edge device 703processes the message 705 (722). Processing the message may be operatingin accordance with the message, passing the message to a device emulatoron the edge device 703, and/or forwarding the message along a directmessage path to the target device via an internal peripheral device thatthe edge device 703 presents to a target device. Operating in accordancewith the message can include configuring components of the edge device703 (e.g., turning on a radio or connecting to a network). Operating inaccordance with the message can also include change of mode of operationfor processing incoming messages from the trusted server, such as theemulator mode and a direct mode. The default mode of operation may bethe emulator mode, in which the edge device 703 passes incoming messageto an internal emulator that presents emulated peripheral devices to atarget device. The edge device 703 may switch to the direct mode basedon a command message from the trusted server, which can be based on theedge device 703 detecting a functionality criterion for the targetdevice being satisfied (e.g., detecting that a support agent or supportmessage process is running on the target device). In some embodiments,the edge device 703 may not validate messages when operating in a directmode. The edge device 703 can inform the trusted server that the edgedevice 703 is operating in the direct mode and cause the server resource701 to stop securing the messages sent to the edge device 703 beyondthat provided by the secure connection. Instead, the edge device 703secures the messages passed along the direct message path to the targetdevice and the remote support message process on the target device wouldvalidate messages. The target device remote support message processwould validate messages from the edge device 703 according to avalidation technique agreed upon between the edge device 703 and theremote support message process on the target device. This securing ofmessages to ensure message authenticity from an appropriate source canalso employ one-time validation codes generated by the remote supportmessage process to avoid replay attacks.

If the message is not valid, then the edge device 703 discards themessage 705 (724). The edge device 703 can generate notification aboutthe invalid message and/or track occurrences of invalid message forlater inspection and/or notification.

FIG. 8 is a diagram of example operations performed by a trusted serverresource and a remotely controlled support edge device for communicatingfeedback messages to the trusted server. FIG. 8 presumes that a secureconnection has already been established between a trusted serverresource 803 and a remotely controlled support edge device 801. The edgedevice 801 has already detected a remote support message process orremote support agent executing on a target device that is sendingfeedback messages.

The server resource 803 detects receipt of a feedback message 805 fromthe remote support agent on the target device (806). Whether traversingthe direct message path or the video path, the message is detected bythe software running on the onboard computer of the edge device 801. Theedge device 801 secures the message 805 with the key of the edge device801 that corresponds to the secure connection with the server resource803 (808). As previously mentioned, this securing may be digitallysigning or encrypting the message 805. After securing the message, theedge device 801 transmits the message 808 along the secure connectionestablished with the server resource 803 (810).

The server resource 803 detects receipt of the message 805 via thesecure connection with the edge device 801 (812). Since the message 805was encrypted according to the connection protocol of the secureconnection, the server 803 decrypts the received message to obtain themessage 805 and then validates the message 805 (814). The server 803validates the message 805 with a key associated with the secureconnection. The key may be associated with the secure connection in atable or data structure maintained by the server 803 that relates secureconnections forming a secure path from a remote support application of atechnician to a support edge device. The server 803 may determine a keyfor validation by looking up a support edge device identifier in adatabase of support edge device identifiers and corresponding keys. Thesupport edge device identifier may be indicated in the message 805 or inthe structure of secure paths maintained by the server 803.

If the message 805 is determined to be valid (816), then the server 803identifies a secure connection to transmit the message 805 to the remotesupport application of the technician (818). The outbound secureconnection is determined from previously mentioned data maintained bythe server 803 that describes paths traversing the server 803. In somecases, individual processes bound to each pair of secure connectionsprocesses support message, in which case a path structure may not beused. After identifying the secure connection for transmission, theserver 803 transmits the validated message 805 via the identified secureconnection (820).

If the message 805 is invalid (816), then the message 805 is discarded.The server 803 may maintain a log of discarded messages or store invalidmessages for later investigation.

The example operations in FIG. 8 presume that the edge device 801 andserver 803 continue ensuring authenticity of messages regardless ofoperational mode of the support edge device 801. As mentioned in FIG. 7,the support edge device 801 and the server 803 may discontinue securingsupport messages (distinct from any securing for the communicationprotocol) between each other when the support edge device 801 operatesin the direct mode or direct message path mode. For such embodiments,the support edge device 801 and the target device can perform operationsto ensure authenticity of support messages and avoid attacks on theconnection between the support edge device 801 and the target device.The edge device 801 would not secure the message (808), but insteadvalidate the message from the target device.

FIG. 9 is a diagram of example operations performed by a remotelycontrolled support edge device and a target device. The exampleoperations of FIG. 9 relate to the transition of responsibility forensuring authenticity of support messages from the trusted server-RCsupport edge device pair to the RC support edge device-target devicepair based on a switch to direct mode or the direct message path. FIG. 9depicts dashed lines for the flow of operations that diverge from thedirect mode (i.e., emulator mode).

Either based on direct commands from a remote technician via a RCsupport edge device 901 or a local execution command on a target device903, a remote support process or remote support message process launcheson the target device 903 (902). The program code for the remote supportprocess may be installed from the edge device 901 or have beenpreviously installed on the target device 903. After launching, theremote support process generates a random validation code, such as aone-time password or pin code (904)—illustrated in FIG. 1 as 1E4558. Thetarget device 903 communicates the validation code in a message 95 tothe edge device 901. Based on receipt of the validation code from thetarget device 903, the edge device 901 indicates a direct mode as anoperational mode for the edge device 901 (906). This can be setting aflag or value to indicate to support software executing on an onboardcomputer of the edge device 901 that remote support messages from thetrusted server should be forwarded along the direct message path via theinternal peripheral device that the edge device 901 presents to thetarget device 903. The edge device 901 can also implicitly indicatedirect mode by, for example, storing the validation code in memorylocation reserved for the validation code corresponding to direct mode.

At a different time, the edge device 901 receives a remote supportmessage 907 and determines whether to process the message 907 in thedirect mode or emulator mode (908). The edge device 901 may read areserved memory location or pre-define memory location to determinewhether a flag or value indicates direct mode. If the edge device 901determines that it is operating in direct mode, then the edge device 901digitally signs the remote support message and indicates the validationcode (910). The edge device 901 digitally signs the remote supportmessage with key of the edge device 901 that the target device “knows”corresponds to the edge device 901. The target device 903 may “know” thekey corresponds to the edge device 901 because the key was previouslycommunicated to the target device 903 along with an identifier of theedge device, the remote support process has been configured with thekey, etc. The edge device 901 transmits the digitally signed message 907with the indication of the validation code to the target device 903.Based on receipt of the message 907, the target device 903 attempts tovalidate the received message (912). To validate, the target device 903validates the digital signature and the validation code. If validated,the target device 903 processes the message (e.g., passes to a devicedriver, invokes a function call, etc.). If not validated, the targetdevice 903 discards the message.

If the edge device 901 determined that the message 907 was receivedwhile operating in the emulator mode (908), then a different messagepath is taken. The edge device 901 passes the message 907 to a HIDemulator on the edge device 901 (914). The HID emulator on the edgedevice 901 extracts from the message 907 input data or command data forone or more human interface devices presented by the emulator to thetarget device 903 (916). The HID emulator generates a device message(s)909 according to the extracted data (916) and transmits the message 909to the target device 903. The target device 903 then processes themessage 909 by passing the message 909 to the operating system call or adevice driver indicated in the message 909 (918).

When remote support feedback is generated, the remote support process onthe target device 903 detects the remote support feedback (920). Theremote support process may receive data (e.g., system information)pursuant to an operating system call, inter-process communication,responsive to invoking an API function for obtaining performance dataabout the target device 903, etc. The remote support process alsodetects screen/display updates after conveying commands and/or inputsreceived in messages from the edge device 901. The remote supportprocess may detect the screen/display updates by detecting pixel updatesor display commands from an application on the target device 903 or theoperating system of the target device 903. The remote support processreceives these pixel updates or display commands either directly becauseit has indicated itself as a destination for pixel updates or displaycommands to applications and the operating system, or receives themindirectly. The remote support process on the target device may receivethese display updates from a graphics process that is part of a remotesupport application corresponding to the remote support process or islaunched by the remote support process. The remote support processgenerates a remote support feedback message 911 with the detectedfeedback as a payload(s) (922). The remote support process may detectmultiple feedback and wrap the multiple feedback into a message asmultiple payloads. For example, the remote support process may generatea JSON object for a display update and a JSON object for telemetry data.The message is formatted according to the remote support protocol thatdefines the formatting of messages being exchanged between the remotesupport software used by the remote technicians, the edge device 901,and the target device 903. The remote support process communicates themessage 911 over the connection or link between the target device 903and the edge device 901. The edge device 901 encodes the remote supportfeedback message according to the protocol of the secure communicationconnection established between the edge device 901 and a trusted server(924). For instance, the edge device 901 encrypts the message 911 withan SSL or TLS session key.

Variations

The above example illustrations depict and describe a wired connectionbetween the remotely controlled (RC) support edge device and a targetdevice. Embodiments can employ other connection types based on the levelof security desired for the target device. For instance, the NFCcomponents of the RC support edge device can be used to communicate witha target device. Other types of connection mediums associated with aprotocol that allows for plug-n-play or hot swapping functionality couldalso be used.

The above example illustrations also depict the RC support edge deviceas a cube device, but embodiments are not so limited. Embodiments of theRC support edge device can take form as a sphere. The sphere RC supportedge device can be created with additional components, such as agyroscope and additional control software to allow a RC support edgedevice to control movement of the sphere RC support edge device.

The flowcharts are provided to aid in understanding the illustrationsand are not to be used to limit scope of the claims. The flowchartsdepict example operations that can vary within the scope of the claims.Additional operations may be performed; fewer operations may beperformed; the operations may be performed in parallel; and theoperations may be performed in a different order. It will be understoodthat each block of the flowchart illustrations and/or block diagrams,and combinations of blocks in the flowchart illustrations and/or blockdiagrams, can be implemented by program code. The program code may beprovided to a processor of a general purpose computer, special purposecomputer, or other programmable machine or apparatus.

As will be appreciated, aspects of the disclosure may be embodied as asystem, method or program code/instructions stored in one or moremachine-readable media. Accordingly, aspects may take the form ofhardware, software (including firmware, resident software, micro-code,etc.), or a combination of software and hardware aspects that may allgenerally be referred to herein as a “circuit,” “module” or “system.”The functionality presented as individual modules/units in the exampleillustrations can be organized differently in accordance with any one ofplatform (operating system and/or hardware), application ecosystem,interfaces, programmer preferences, programming language, administratorpreferences, etc.

Any combination of one or more machine readable medium(s) may beutilized. The machine readable medium may be a machine readable signalmedium or a machine readable storage medium. A machine readable storagemedium may be, for example, but not limited to, a system, apparatus, ordevice, that employs any one of or combination of electronic, magnetic,optical, electromagnetic, infrared, or semiconductor technology to storeprogram code. More specific examples (a non-exhaustive list) of themachine readable storage medium would include the following: a portablecomputer diskette, a hard disk, a random access memory (RAM), aread-only memory (ROM), an erasable programmable read-only memory (EPROMor Flash memory), a portable compact disc read-only memory (CD-ROM), anoptical storage device, a magnetic storage device, or any suitablecombination of the foregoing. In the context of this document, a machinereadable storage medium may be any tangible medium that can contain, orstore a program for use by or in connection with an instructionexecution system, apparatus, or device. A machine readable storagemedium is not a machine readable signal medium.

A machine readable signal medium may include a propagated data signalwith machine readable program code embodied therein, for example, inbaseband or as part of a carrier wave. Such a propagated signal may takeany of a variety of forms, including, but not limited to,electromagnetic, optical, or any suitable combination thereof. A machinereadable signal medium may be any machine readable medium that is not amachine readable storage medium and that can communicate, propagate, ortransport a program for use by or in connection with an instructionexecution system, apparatus, or device.

Program code embodied on a machine readable medium may be transmittedusing any appropriate medium, including but not limited to wireless,wireline, optical fiber cable, RF, etc., or any suitable combination ofthe foregoing.

Computer program code for carrying out operations for aspects of thedisclosure may be written in any combination of one or more programminglanguages, including an object oriented programming language such as theJava® programming language, C++ or the like; a dynamic programminglanguage such as Python; a scripting language such as Perl programminglanguage or PowerShell script language; and conventional proceduralprogramming languages, such as the “C” programming language or similarprogramming languages. The program code may execute entirely on astand-alone machine, may execute in a distributed manner across multiplemachines, and may execute on one machine while providing results and oraccepting input on another machine.

The program code/instructions may also be stored in a machine readablemedium that can direct a machine to function in a particular manner,such that the instructions stored in the machine readable medium producean article of manufacture including instructions which implement thefunction/act specified in the flowchart and/or block diagram block orblocks.

FIG. 10 depicts an example computer system with a remote support messageprocessor. The computer system includes a processor 1001 (possiblyincluding multiple processors, multiple cores, multiple nodes, and/orimplementing multi-threading, etc.). The computer system includes memory1007. The memory 1007 may be system memory (e.g., volatile ornon-volatile memory) or any one or more of the above already describedpossible realizations of machine-readable media. The computer systemalso includes a bus 1003, a connection interface 1002, and a networkinterface 1005. The system also includes a remote support messageprocessor 1011. The remote support message processor 1011 communicateswith counterpart software executing on a RC support edge device thatsends messages that may carry inputs for a represented peripheral deviceover a single connection between the RCE support edge device and thecomputer system. The single connection may be with the connectioninterface 1002 or the network interface 1005. The remote support messageprocessor 1011 examines a received message to determine whether themessage carries a single element or multiple elements of differenttypes. The remote support message processor 1011 may pass the message toa driver, invoke a function call, call an operating system command ofthe computer system. The received message conforms to a remote supportmessage protocol that specifies layout of message elements when multipleelements are carried in a message. The remote support message protocolspecifies whether the message is an array of objects that eachself-identify a target endpoint. The remote support message protocol mayspecify field sizes for type fields to indicate a target endpoint for asubsequent field that carries the data to be consumed by the targetendpoint or data to be passed as parameters in a function invocation.Any one of the previously described functionalities of the remotesupport message processor 1011 may be partially (or entirely)implemented in hardware and/or on the processor 1001. For example, thefunctionality may be implemented with an application specific integratedcircuit, in logic implemented in the processor 1001, in a co-processoron a peripheral device or card, etc. Further, realizations may includefewer or additional components not illustrated in FIG. 10 (e.g., videocards, audio cards, additional network interfaces, peripheral devices,etc.). The processor 1001 and the network interface 1005 are coupled tothe bus 1003. Although illustrated as being coupled to the bus 1003, thememory 1007 may be coupled to the processor 1001.

Plural instances may be provided for components, operations orstructures described herein as a single instance. Finally, boundariesbetween various components, operations and data stores are somewhatarbitrary, and particular operations are illustrated in the context ofspecific illustrative configurations. Other allocations of functionalityare envisioned and may fall within the scope of the disclosure. Ingeneral, structures and functionality presented as separate componentsin the example configurations may be implemented as a combined structureor component. Similarly, structures and functionality presented as asingle component may be implemented as separate components. These andother variations, modifications, additions, and improvements may fallwithin the scope of the disclosure.

Use of the phrase “at least one of” preceding a list with theconjunction “and” should not be treated as an exclusive list and shouldnot be construed as a list of categories with one item from eachcategory, unless specifically stated otherwise. A clause that recites“at least one of A, B, and C” can be infringed with only one of thelisted items, multiple of the listed items, and one or more of the itemsin the list and another item not listed.

A method comprises establishing, by an edge device, a first networkconnection with a first network after the edge device validates a firstsigned request to connect to the first network, wherein the signedrequest was communicated to the edge device. After establishing thefirst network connection, the edge device establishes a first securecommunication connection between the edge device and a server. The edgedevice captures video of a target device and transmits the video via thefirst secure communication connection. Based on the edge devicedetecting the target device via a connection medium that connects theedge device to the target device, the edge device presents an emulatedhuman interface device to the target device via the connection medium.Based on receipt of a first message over the first secure communicationconnection, the edge device transmits via the connection medium a firstinput indicated in the first message as first input for the emulatedhuman interface device.

The method further comprises the edge device wirelessly communicating aunique identifier of the edge device in response to detection of anactivation input to the edge device.

The method further comprises the edge device presenting via a display onthe edge device a unique identifier of the edge device in response todetection of an activation input to the edge device.

The method further comprises validating the first signed request with afirst security key that is locally stored on the edge device. The firstsecurity key was bound to the edge device at a root of trust.

In the method, the first signed request was signed by the server.

The method further comprising identifying the server with which toestablish the first secure communication connection from the firstsigned request.

In the method, the connection medium is a wireless or a wired connectionmedium.

The method further comprising the edge device detecting a feedbackmessage from the target device and forwarding the feedback message tothe server via the first secure communication connection. The feedbackmessage comprises screen capture data or display update data.

The method further comprising the server communicating the feedbackmessage and the video to an authorized endpoint via a second securecommunication connection established between the authorized endpoint andthe server and the server communicating the first message to the edgedevice based on receipt of the first message from the authorizedendpoint.

The method further comprising the edge device validating the firstmessage based on a digital signature associated with the first messagewith a security key bound to the edge device, wherein validating thefirst message is distinct from message authentication corresponding to asecurity protocol of the first secure communication connection.

A system comprising an edge device having a plurality ofmachine-readable media, a video camera, a radio, a wired connectioninterface, an onboard computer, a human interface device emulator, and aconfigurable peripheral device. A first of the machine-readable mediacomprises program code executable by a processor of the onboard computerto cause the edge device to indicate a unique identifier of the edgedevice based on activation of the edge device; validate a signedconfiguration request with a first key stored on the edge device;connect via the radio to a network after validation of the signedconfiguration request which indicates the network; establish a firstsecure communication connection with a server previously identified tothe edge device; determine which of a plurality of operational modes isindicated in the edge device; communicate messages received over thefirst secure communication connection over a first message path based ona determination that the edge device is operating in a first mode,wherein the first message path includes the configurable peripheraldevice; communicate messages received over the first securecommunication connection over a second message path based on adetermination that the edge device is operating in a second mode,wherein the second path includes the human interface device emulator;and communicate feedback messages from the target device to the servervia the first secure communication connection.

The system further comprising the server, the server having amachine-readable medium comprising program code executable by the serverto cause the server to establish the first secure communicationconnection with the edge device and a corresponding second securecommunication connection with a support application that is remote fromthe edge device and the server; sign messages from the supportapplication with a second key accessible to the server, wherein themessages are signed prior to transmission of the messages to the edgedevice from the server and wherein the first key corresponds to thesecond key, wherein the server signing the messages with the second keyis distinct from message authentication based on a communicationprotocol corresponding to the second secure communication connection.

In the system, the first and second keys are a pre-shared key distinctfrom any key used for the first and the second secure communicationchannels.

In the system, the second machine-readable medium of the server furthercomprises program code executable by the server to cause the server todetermine authorization of an authenticated user to configure the edgedevice based on receipt of a request that indicates credentials of theauthenticated user and identifies the edge device.

In the system, the second machine-readable medium of the server furthercomprises program code executable by the server to cause the server toauthenticate the credentials indicated in the request to configure theedge device based on receipt of the request.

In the system, the edge device further comprises an activationcomponent, wherein the program code to indicate a unique identifier ofthe edge device is executable by the onboard computer to cause the edgedevice to indicate the unique identifier in response to activation ofthe activation component.

In the system, the wired interface is a universal serial bus compliantinterface.

In the system, the edge device further comprises a cryptographic modulethat stores the first key and validates the signed configurationrequest.

A non-transitory machine-readable medium having program code storedthereon, the program code executable by a processor to cause a computingdevice to establish a first network connection with a first networkafter the computing device validates a first signed request to connectto the first network, wherein the signed request was communicated to thecomputing device; establish a first secure communication connectionbetween the computing device and a server after establishing the firstnetwork connection; capture video of a target device and transmit thevideo via the first secure communication connection; present an emulatedhuman interface device to the target device via the connection mediumbased on the detection of connection to the target device via aconnection medium; and transmit via the connection medium a first inputindicated in the first message as first input for the emulated humaninterface device based on receipt of a first message over the firstsecure communication connection.

What is claimed is:
 1. A system comprising: an edge device having aplurality of machine-readable media, a video camera, a radio, a wiredconnection interface, an onboard computer, a human interface deviceemulator, and a configurable peripheral device, wherein a first of themachine-readable media comprises program code executable by a processorof the onboard computer to cause the edge device to, indicate a uniqueidentifier of the edge device based on activation of the edge device;validate a signed configuration request with a first key stored on theedge device; connect via the radio to a network after validation of thesigned configuration request which indicates the network; establish afirst secure communication connection with a server previouslyidentified to the edge device; determine which of a plurality ofoperational modes is indicated in the edge device; communicate messagesreceived over the first secure communication connection over a firstmessage path based on a determination that the edge device is operatingin a first mode, wherein the first message path includes theconfigurable peripheral device; communicate messages received over thefirst secure communication connection over a second message path basedon a determination that the edge device is operating in a second mode,wherein the second message path includes the human interface deviceemulator; and communicate feedback messages from a target device to theserver via the first secure communication connection.
 2. The system ofclaim 1 further comprising the server, the server having a secondmachine-readable medium comprising program code executable by the serverto cause the server to, establish the first secure communicationconnection with the edge device and a corresponding second securecommunication connection with a support application that is remote fromthe edge device and the server; and sign messages from the supportapplication with a second key accessible to the server, wherein themessages are signed prior to transmission of the messages to the edgedevice from the server and wherein the first key corresponds to thesecond key, wherein the server signing the messages with the second keyis distinct from message authentication based on a communicationprotocol corresponding to the second secure communication connection. 3.The system of claim 2, wherein the first and second keys are apre-shared key distinct from any key used for the first and the secondsecure communication connections.
 4. The system of claim 2, wherein thesecond machine-readable medium of the server further comprises programcode executable by the server to cause the server to authenticatecredentials indicated in a request to configure the edge device based onreceipt of the request.
 5. The system of claim 1, wherein the edgedevice further comprises an activation component, wherein the programcode to indicate a unique identifier of the edge device is executable bythe onboard computer to cause the edge device to indicate the uniqueidentifier in response to activation of the activation component.
 6. Thesystem of claim 1, wherein the wired connection interface is a universalserial bus compliant interface.
 7. The system of claim 1, wherein theedge device further comprises a cryptographic module that stores thefirst key and validates the signed configuration request.